OWASP WebGoat Installation on Windows 7

WebGoat is an education tool used to learn more about web application flaws, such as SQL Injection, Cross-Site Scripting (XSS), Buffer Overflows, and other web application vulnerabilities. WebGoat hasn’t been updated in a while but still looks useful as a learning platform, so I decided to install it and give it a try. (More details on the project are at https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project.)

I ran into some issues installing it in Windows 7 on one of my computers, and in searching Google for help found a couple of posts from others having the same problem. (I did try to reply to at least one of the posts with this solution, but the thread was old and was closed/locked.)

So in case it helps, if anyone comes across this blog post also looking for help in getting WebGoat working, here is how I finally got it running:

  • First, extract the file. In my case, and for this example, the WebGoat folder is located at C:\WebGoat-5.3_RC1
  • There are ways to change the ports, but since this is only a regular PC that doesn’t already run a web server, make sure that you disable your World Wide Web Publishing service (if it’s running); otherwise WebGoat won’t run because port 80 is already in use.
  • Make sure you have the Java runtime installed.
  • From a command prompt, run the webgoat.bat script. This will then launch a 2nd DOS window that starts up the Tomcat services.
  • Now here is where I ran into problems (as did some others)… when I went to http://localhost/webgoat/attack, I got a 404 Not Found error. I tried with capital W and G as the docs suggested, as well as all lowercase. I believe this is some redirect problem, because on another PC where I installed this later it worked fine from the start (all lowercase), but on the first computer I got the 404 error no matter how I formatted the URL.
  • What I did to fix the issue was copy the ‘webgoat‘ folder from C:\WebGoat-5.3_RC1\tomcat\webapps\webgoat into the ROOT folder at C:\WebGoat-5.3_RC1\tomcat\webapps\ROOT
  • Once I did that it finally prompted me to login and seems to be working fine.

I haven’t played around with it much further yet but the links all seem to be working. So I just wanted to post this solution before I forgot how I got it working and in hopes this might help someone else.
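
A diagnostic sketch for the steps above, added here as an example and not part of the original post or the WebGoat project: it reports what is listening on port 80, the state of the World Wide Web Publishing service (W3SVC), whether java is on the PATH, and the HTTP status of each URL variant. Port 8080 corresponds to the webgoat_8080.bat script mentioned in the comments; the function names are hypothetical.

```powershell
# Added diagnostic example; function names are hypothetical, not part of WebGoat.
# Uses netstat and .NET classes so it also runs on the PowerShell 2.0 shipped with Windows 7.
function Get-PortListener([int]$Port) {
    # netstat -ano columns for TCP: Proto, Local Address, Foreign Address, State, PID
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        $isTcp = $f.Count -eq 5 -and $f[0] -eq 'TCP'
        # A listening socket has a wildcard foreign address (locale-independent check).
        if ($isTcp -and $f[1] -match (':{0}$' -f $Port) -and $f[2] -match '^(0\.0\.0\.0|\[::\]):0$') {
            $proc = Get-Process -Id $f[4] -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{ Local = $f[1]; OwnerPid = $f[4]; Process = $proc.ProcessName }
        }
    }
}

function Get-HttpStatus([string]$Url) {
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Timeout = 5000
    $req.AllowAutoRedirect = $false   # report redirects instead of following them
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        # Error statuses surface as WebException, possibly wrapped by PowerShell.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { return [int]$ex.Response.StatusCode }
        return 'no response'
    }
}

$listeners = @(Get-PortListener 80)
if ($listeners.Count -eq 0) { 'Port 80: free' }
foreach ($l in $listeners) {
    # PID 4 (System) means HTTP.sys holds the port, which is how IIS/W3SVC listens.
    'Port 80: {0} held by PID {1} ({2})' -f $l.Local, $l.OwnerPid, $l.Process
}
$w3 = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($w3) { 'World Wide Web Publishing service (W3SVC): ' + $w3.Status }
if (-not (Get-Command java -ErrorAction SilentlyContinue)) { 'java not found on PATH' }

# Port 80 = webgoat.bat, port 8080 = webgoat_8080.bat; both path casings from the post.
foreach ($base in 'http://localhost', 'http://localhost:8080') {
    foreach ($path in '/webgoat/attack', '/WebGoat/attack') {
        '{0}{1} -> {2}' -f $base, $path, (Get-HttpStatus ($base + $path))
    }
}
```

Run it once before starting webgoat.bat (port 80 should be free) and once after; a 404 on every variant is the failure described in the post.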


8 Responses to “OWASP WebGoat Installation on Windows 7”

  1. treadmill reviews says:

    Much appreciated for the information and share!

  2. general forum says:

    As a website owner I think the content material here is really excellent, thanks for your efforts.

  3. finli johnson says:

    Thank you for your blog; it is very good and this post is amazing.

  4. Ava says:

    I have really enjoyed reading your well written article. It looks like you spend a lot of effort and time on your blog. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!

  5. Jonny says:

    Thanks for the help AdminGal!
    I also had the 404 Not Found Error when trying to get WebGoat to work and your post helped me figure things out. I didn’t have to copy the webgoat folder into root to get things running, but I did make sure to run webgoat_8080.bat (port 8080) from the cmd prompt since I already had a webserver running on port 80. This solved my problem. Alternatively, I could shut down my webserver on port 80 and then run webgoat.bat to have Tomcat running on 80.
    I hope this helps future viewers.
    All the best!

  6. Paulo says:

    I have enjoyed your post but I have a problem. I am not getting POST frames intercepted by WebScarab. Do you know how I can fix this problem?

    I have all the applications installed on my computer and WebGoat is working. When I try to intercept frames using the POST method I can’t, so I can’t practice all the lessons because all the methods are POST.

    I did a test using the GET method and it worked very well.

    Please can you help me? I’m using Windows 7.

  7. admingal says:

    I haven’t come across that problem, but you can always try using ZAP instead of Webscarab (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project). I have been using ZAP lately and prefer it over Webscarab.

  8. demspanish says:

    Thank you all for the comments. In my case I noticed that port 80 was in use by WAMP, so I ran webgoat_8080.bat in cmd, then I navigated to http://localhost:8080/WebGoat/attack. Voilà!
